Risk-based auditing is a style of auditing which focuses upon the analysis and management of risk.
In the UK, the 1999 Turnbull Report on corporate governance required directors to provide a statement to shareholders of the significant risks to the business. This then encouraged the audit activity of studying these risks rather than just checking compliance with existing controls. [1]
Standards for risk management have included the COSO guidelines and the first international standard, AS/NZS 4360. [2] The latter is now the basis for a family of international standards for risk management — ISO 31000.
A traditional audit would focus upon the transactions which would make up financial statements such as the balance sheet. A risk-based approach will seek to identify risks with the greatest potential impact. Strategic risk analysis will then include political and social risks such as the potential effect of legislation and demographic change. [3]
An experiment suggested that managers might respond to risk-based auditing by transferring activity to accounts which are ostensibly low risk. Auditors would need to anticipate such attempts to game the process. [4]
Accounting, also known as accountancy, is the processing of information about economic entities, such as businesses and corporations. Accounting measures the results of an organization's economic activities and conveys this information to a variety of stakeholders, including investors, creditors, management, and regulators. Practitioners of accounting are known as accountants. The terms "accounting" and "financial reporting" are often used interchangeably.
Project management is the process of leading the work of a team to achieve all project goals within the given constraints. This information is usually described in project documentation, created at the beginning of the development process. The primary constraints are scope, time, and budget. The secondary challenge is to optimize the allocation of necessary inputs and apply them to meet pre-defined objectives.
In management accounting or managerial accounting, managers use accounting information in decision-making and to assist in the management and performance of their control functions.
Financial statements are formal records of the financial activities and position of a business, person, or other entity.
The ISO 9000 family is a set of five quality management systems (QMS) standards by the International Organization for Standardization (ISO) that help organizations ensure they meet customer and other stakeholder needs within statutory and regulatory requirements related to a product or service. ISO 9000 deals with the fundamentals of QMS, including the seven quality management principles that underlie the family of standards. ISO 9001 deals with the requirements that organizations wishing to meet the standard must fulfill. ISO 9002 is a model for quality assurance in production and installation. ISO 9003 is a model for quality assurance in final inspection and test. ISO 9004 gives guidance on achieving sustained organizational success.
An audit is an "independent examination of financial information of any entity, whether profit oriented or not, irrespective of its size or legal form when such an examination is conducted with a view to express an opinion thereon." Auditing also attempts to ensure that the books of accounts are properly maintained by the concern as required by law. Auditors consider the propositions before them, obtain evidence, roll forward prior year working papers, and evaluate the propositions in their auditing report.
A financial audit is conducted to provide an opinion whether "financial statements" are stated in accordance with specified criteria. Normally, the criteria are international accounting standards, although auditors may conduct audits of financial statements prepared using the cash basis or some other basis of accounting appropriate for the organization. In providing an opinion whether financial statements are fairly stated in accordance with accounting standards, the auditor gathers evidence to determine whether the statements contain material errors or other misstatements.
Forensic accounting, forensic accountancy or financial forensics is the specialty practice area of accounting that investigates whether firms engage in financial reporting misconduct, or financial misconduct within the workplace by employees, officers or directors of the organization. Forensic accountants apply a range of skills and methods to determine whether there has been financial misconduct by the firm or its employees.
An audit committee is a committee of an organisation's board of directors which is responsible for oversight of the financial reporting process, selection of the independent auditor, and receipt of audit results both internal and external.
An auditor's report is a formal opinion, or disclaimer thereof, issued by either an internal auditor or an independent external auditor as a result of an internal or external audit, as an assurance service in order for the user to make decisions based on the results of the audit.
Assurance service is an independent professional service, typically provided by Chartered or Certified Public Accountants or Chartered Certified Accountants, with the goal of improving information or the context of information so that decision makers can make more informed, and presumably better, decisions. Assurance services provide independent and professional opinions that reduce information risk.
An information technology audit, or information systems audit, is an examination of the management controls within an Information technology (IT) infrastructure and business applications. The evaluation of evidence obtained determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives. These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement.
A going concern is an accounting term for a business that is assumed to be able to meet its financial obligations when they become due. It functions without the threat of liquidation for the foreseeable future, which is usually regarded as at least the next 12 months or the specified accounting period. The presumption of going concern implies a basic declaration of intention to keep operating the business's activities for at least the next year; this is a basic assumption for preparing financial statements under the conceptual framework of the IFRS. Hence, a declaration of going concern means that the business has neither the intention nor the need to liquidate or to materially curtail the scale of its operations.
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes. Internal auditing might achieve this goal by providing insight and recommendations based on analyses and assessments of data and business processes. With commitment to integrity and accountability, internal auditing provides value to governing bodies and senior management as an objective source of independent advice. Professionals called internal auditors are employed by organizations to perform the internal auditing activity.
Materiality is a concept or convention within auditing and accounting relating to the importance/significance of an amount, transaction, or discrepancy. The objective of an audit of financial statements is to enable the auditor to express an opinion on whether the financial statements are prepared, in all material respects, in conformity with an identified financial reporting framework, such as the Generally Accepted Accounting Principles (GAAP) which is the accounting standard adopted by the U.S. Securities and Exchange Commission (SEC).
Internal control, as defined by accounting and auditing, is a process for providing assurance that an organization's objectives in operational effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations and policies are achieved. A broad concept, internal control involves everything that controls risks to an organization.
In financial auditing of public companies in the United States, SOX 404 top-down risk assessment (TDRA) is a financial risk assessment performed to comply with Section 404 of the Sarbanes-Oxley Act of 2002. Under SOX 404, management must test its internal controls; a TDRA is used to determine the scope of such testing. It is also used by the external auditor to issue a formal opinion on the company's internal controls. However, as a result of the passage of Auditing Standard No. 5, which the SEC has since approved, external auditors are no longer required to provide an opinion on management's assessment of its own internal controls.
Entity-level controls are controls that help to ensure that management directives pertaining to the entire entity are carried out. They are the second level of a top-down approach to understanding the risks of an organization. Generally, entity refers to the entire company.
ISO/IEC 27001 is an international standard to manage information security. The standard was originally published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005, revised in 2013, and again most recently in 2022. There are also numerous recognized national variants of the standard. It details requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) – the aim of which is to help organizations make the information assets they hold more secure. Organizations that meet the standard's requirements can choose to be certified by an accredited certification body following successful completion of an audit. The effectiveness of the ISO/IEC 27001 certification process and the overall standard has been addressed in a large-scale study conducted in 2020.